Planning for contingencies

Mary Ursula Herrmann is a Network Security Analyst living in Juneau, AK. She has worked in Information Security for over 15 years, and obtained her CISSP in 2005.

Last week, I talked about what to do if your security vendor is hacked. I've already talked about what to do if your organization itself is hacked, but it's worth going a little deeper into the subject and talking about contingency planning and management.

Books can and have been written about contingency planning, but probably the most important thing about it is that you should be able to test your plan. For instance, simply having something in your overall security policy that says “If a fire takes out the server room, Joe is in charge” is not enough. When the server room is actually on fire is not the time for Joe to be deciding what he should do next. This may seem obvious, but you need to know what is going to happen, every step of the way, right down to the smallest detail. There's always going to be something you didn't anticipate, so you need to plan for everything that you can anticipate, and then test that plan.

A contingency plan should be updated and tested at least yearly, because you can't assume that everything around your organization, including local laws or your vendors' policies, is going to stay the same from year to year. You'll want to check things like mobile and home phone numbers for your own personnel, and whether or not your contacts at vendors or backup sites have changed. The plan should also be tested on a yearly basis, around a conference room table at the very least. The person in charge of updating the plan will propose a scenario - such as the server room fire - and each team leader will state what they and their team will do in response. I've discussed testing in the past as well.

It's unlikely that either your plan or your testing will be perfectly smooth at first, and that's to be expected. Make changes to your plan based on the lessons learned from your initial testing, and continue to refine it over time.
Even if the particulars of your plan change over time, because of relocation or changes in personnel, after a while the testing should go more smoothly because it's familiar. There's no way to predict when or how an emergency situation will occur. But the more prepared you are for it, through creating and testing a contingency plan, the better your organization will weather it.
